Systematic Literature Review on risk management in agile and plan driven software development

Report, 2016

Context: Software development is a process prone to a high level of risk due to issues in development phases, management strategy and the environment where it is performed. Agile development approaches are assumed to have less risk resolution in comparison with traditional approaches. Although this is well accepted in industry and academia, to the best of our knowledge there have not been any studies investigating this difference.
Objectives: The main objective of this paper is to investigate whether risk resolution is affected by the choice of development process. Further, we investigated application domains, research methods, types of risk (i.e. perceived risk as perception of risk by practitioners, or actual risk as risk compiled from project historical data), software development and project management phases, and development models reported on in the papers included in this study.
Methods: A Systematic Literature Review (SLR) was conducted in the fields of software engineering, project management and risk management. Using a set of rigorous inclusion and exclusion criteria, 78 primary studies were selected. From these, information relevant to our research questions was collected.
Results: No publications were found that report a difference in risk resolution between agile and traditional development approaches. The most common application domains are defense, the financial sector and the Information Systems industry, each addressed by three primary studies, and the most applied research method is design of models (49 publications). Perceived risk is the most popular type of risk, addressed by 41 primary studies. Requirement analysis (18 publications) and planning (23 publications) are respectively the most addressed development and management phases. Lastly, a combination of agile and plan-driven approaches was addressed the most, by nine primary studies.
Conclusion: The results from this SLR highlight a demand for empirical research on risk management applied in different development processes. Further, data from additional domains should be added to the body of knowledge in order to investigate the generalizability of the findings. Moreover, due to lack of data, actual risk is not investigated as much as perceived risk, which highlights the demand for quantitative studies in this research field.